Merge pull request #51 from sunnyflunk/patches

packaging: Add info about CVE .nopatch
Joshua Strobl 2017-05-31 14:20:08 +03:00 committed by GitHub
commit ab83de06a5
1 changed files with 2 additions and 0 deletions


@ -93,6 +93,8 @@ Both patches and extra files (such as systemd units) are stored in this director
Where `xxxx-xxxx` is replaced with the full CVE ID. Complying with this simple rule ensures that we can know at any time the security status of packages when using tools such as `cve-check-tool`
Solus tooling allows the use of `./files/security/cve-xxxx-xxxx.nopatch` (which isn't applied in the build) to indicate that a CVE has been validated as not applicable to the Solus package. This can be because another patch resolves this CVE, or there is a false positive via `cve-check-tool`. The contents of the file can describe why it doesn't apply without requiring a patch (i.e. Resolved by cve-xxxx-xxxx.patch).
### Applying a patch
It is common practice to apply the patch within the `setup` section of your build staging. We can achieve this using the `%patch` macro, and the `$pkgfiles` variable. In this example, the required file is located
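Review bot: In the added `.nopatch` paragraph the justification is optional ("The contents of the file can describe why it doesn't apply"), so an empty marker file is enough to record a CVE as not applicable, with no trace of the reasoning. Consider making it a requirement, for example "The file must state why the CVE does not apply", so that anyone auditing `./files/security/` can verify the claim and revisit it if the patch it relies on is later dropped. The parenthetical also reads as an illustration rather than a restatement, so "e.g. Resolved by cve-xxxx-xxxx.patch" fits better than "i.e.". It would also help to say whether that second placeholder means a different CVE ID, since both file names are written with the same `xxxx-xxxx`.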